2008 FISMA Executive Summary Report

PUBLIC REDACTED VERSION

September 29, 2008
Report No. 451


MEMORANDUM

September 29, 2008

To:       Lew Walker, Acting Chief Information Officer

From:     H. David Kotz, Inspector General

Subject:  2008 FISMA Executive Summary Report, Report No. 451

This memorandum transmits the Securities and Exchange Commission, Office of Inspector General's (OIG) 2008 Federal Information Security Management Act (FISMA) Executive Summary report. This report details our responses to Section C of the Office of Management and Budget (OMB) FISMA template. The information in the report is the result of our coordination with, and input from, the Office of Information Technology (OIT) and the Senior Agency Official for Privacy, and was used to form a consolidated SEC response.

The final report consists of three recommendations, all addressed to OIT. OIT concurred with all of the recommendations and indicated that appropriate action will be taken. In addition to responding to the recommendations, OIT provided comments on the draft report.

Should you have any questions regarding this report, please contact Jacqueline Wilson at 202-551-6326.

Attachment

cc:   Peter Uhlmann, Chief of Staff
      Diego Ruiz, Executive Director, Office of the Executive Director
      Ralph Mosios, Acting Chief Security Officer, Office of Information Technology
      Barbara Stance, Chief Privacy Officer, Office of Information Technology
      Darlene Pryor, Management Analyst, Office of the Executive Director

      Rick Hillman, Managing Director of Financial Markets and Community Investment, GAO


EXECUTIVE SUMMARY

In June 2008, the U.S. Securities and Exchange Commission (SEC), Office of Inspector General (OIG), contracted with Electronic Consulting Services, Inc. (ECS) to assist with the completion and coordination of OIG's input to the SEC's response to Office of Management and Budget (OMB) Memorandum M-08-21. The Memorandum provides instructions and templates for meeting the FY 2008 reporting requirements under the Federal Information Security Management Act of 2002 (FISMA), Title III of Pub. L. No. 107-347.

ECS commenced work on the project in early August 2008, when the final FISMA templates were promulgated by OMB. ECS' principal tasks included completing the OIG portion of the templates and developing an Executive Summary report.


BACKGROUND

FISMA provides the framework for securing the Federal government's information technology. All agencies must implement the requirements of FISMA and annually report to OMB and Congress on the effectiveness of their privacy and information security programs. OMB uses this information to evaluate agency-specific and government-wide privacy performance, to develop its annual security report to Congress, to assist in improving and maintaining adequate agency privacy performance, and to inform development of the E-Government Scorecard under the President's Management Agenda.


OBJECTIVES

The objectives of this report are to provide background information, clarification, and recommendations regarding the OIG's response and input to Section C of the OMB reporting template. The reporting categories and questions were generally the same as in 2007; however, there were some updates based on security and privacy policies issued this year. The 2008 reporting topics for the OIG reporting template include:

      •  FISMA Systems Inventory

      •  Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

      •  Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

      •  Evaluation of Agency Plan of Action and Milestones (POA&M) Process

      •  Inspector General (IG) Assessment of the Certification and Accreditation Process

      •  IG Assessment of the Agency Privacy Program

      •  IG Assessment of the Agency Privacy Impact Assessment (PIA) Process

      •  Configuration Management

      •  Incident Reporting

      •  Security Awareness Training

      •  Collaborative Web Technologies and Peer-to-Peer File Sharing

      •  E-Authentication Risk Assessments

There are also some additional questions related to OMB Memorandum M-08-09 of January 18, 2008, New FISMA Privacy Reporting Requirements for FY 2008.

The FISMA IG reporting template limits responses to a fixed set of options designed into the template. In some cases, the responses are numeric or binary (yes/no). In other cases, responses are limited to qualitative assessments (excellent, good, poor, etc.) or percentage estimates (96% to 100%, 81% to 95%, etc.). The reporting template also provides several fields for optional text comments.


RESULTS

Key findings and results for the 2008 FISMA evaluation include:

      •  Our initial OIG evaluation of the systems used by the Division of Enforcement for referrals and by the Office of Compliance Inspections and Examinations (OCIE) to assist in the monitoring of registered advisers revealed no significant issues.

      •  The SEC operates a total of 49 systems. Forty-four of the systems have been evaluated as having a moderate system impact level. The remaining systems were evaluated as having a low system impact level.

      •  The SEC almost always performs oversight and evaluations to ensure that information systems used or operated by agency contractors, or by other organizations on behalf of the agency, meet applicable requirements.

      •  The SEC has developed an inventory of major information systems.

      •  The SEC's POA&M process provides an effective roadmap for continuous security improvement, assists with prioritizing corrective action and resource allocation, and is a valuable management and oversight tool.

      •  The SEC's overall Certification and Accreditation program is assessed as good.

      •  The Privacy Office has made significant progress in its development of privacy resources, in outreach within the SEC and Regional Offices, and in benchmarking externally with other agencies.

      •  The SEC has developed and disseminated a formal, documented configuration management policy (implementation guidance) that satisfactorily addresses security configuration management requirements.

      •  SEC systems implement common security configurations, including those available through the National Institute of Standards and Technology (NIST), most of the time.

      •  SEC did not provide evidence that they have implemented the …………………………………….. .


SUMMARY OF RECOMMENDATIONS

      1.  OIT needs to complete the security controls and contingency plan testing for the remaining systems.

      2.  OIT needs to address the requirements for _____________________, to include:

          •  Adopting and implementing the _____________________.

          •  Modifying all contracts related to common security settings to include the new Federal Acquisition Regulation 2007-004 language.

          •  Implementing the for _____________________.

      3.  OIG recommends that this Executive Summary Report, along with the completed OIG Reporting Template (provided separately), be used to develop the SEC's annual consolidated FISMA Report in accordance with OMB Memorandum M-08-21.


AUDIT REQUEST AND IDEAS

The Office of Inspector General welcomes your input. If you would like to request an audit in the future or have an audit idea, please contact us at:

U.S. Securities and Exchange Commission
Office of Inspector General
Attn: Assistant Inspector General, Audits (Audit Request/Idea)
100 F Street, N.E.
Washington, D.C. 20549-2736
202-551-6037
202-772-9265
Email: oig@sec.gov


      Hotline
      To report fraud, waste, abuse, and mismanagement at SEC, contact the Office of Inspector General at:

      Phone: 877.442.0854

      Web-Based Hotline Complaint Form:
      www.reportlineweb.com/sec_oig